.. to scan.
It worked in a few examples locally. Other hosts I tried so far weren't
available anymore (like scanme.nmap.org). In order to reduce the burden
we scan now only during PRs.
This commit modifies run_fs() to show the signature algorithms the server supports in the ServerKeyExchange message for TLS 1.2 and in the CertificateVerify message for TLS 1.3.
Signature algorithms are not shown for TLS 1.1 and earlier, since for those protocol versions the signature algorithm to use is specified by the protocol. While the signature algorithm used in TLS 1.1 and earlier is weak, testssl.sh already warns if these protocol versions are supported.
This commit fileout() calls to ciphers_by_strength() and cipher_pref_check() to indicate whether or not the server enforces a cipher order for a protocol version.
See #2127. the line seems very long though.
Note: this was previously commited as #2184 but as there were two mistakes
and one other thing which could be improved I decided to make a hard reset.
Apologize if it caused inconvenience.
This commit adds a check that ./testssl.sh has both read and execute permission. If ./testssl.sh is lacking execute permission, it will pass the tests in 00_testssl_help.t and 01_testssl_banner.t that run the program as `bash ./testssl.sh`, but will fail the subsequent tests that run the program as `./testssl.sh`, but the reason for the failure will not be clear.
Respect changed HSTS epoch time of 180 days.
(DROWN output is changed too as the certificated changed but doesn't matter
as the travis check filters that)
Workaround for bug see #1717. In addition: Bring the test closer to a cleaner style,
as the others
Should --ids-firednly could be as well be removed when travis runs faster.
Often in the past travis was hitting a limit (50min?).
This is a try to make reasonable cuts to the unit tests:
- For STARTTLS some checks with OPenSSL are skipped
- For JSON and HTML outputs --ids-friendly was added assumming we
don't change the output of ticketbleed, CCSI, HeartBleed and ROBOT any more.
- There's also not point to run those checks against badssl
- for the diff check we switch to 'or diag' to display a dfifference